Commit 885e8f98 authored Aug 09, 2013 by Isaku Yamahata Committed by Anthony Liguori Aug 12, 2013

rdma: use resp.len after validation in qemu_rdma_registration_stop



resp.len is given from remote host. So should be validated before use.
Otherwise memcpy can access beyond the buffer.

Cc: Michael R. Hines <mrhines@us.ibm.com>
Reviewed-by: Orit Wasserman <owasserm@redhat.com>
Reviewed-by: Michael R. Hines <mrhines@us.ibm.com>
Signed-off-by: Isaku Yamahata <yamahata@private.email.ne.jp>
Signed-off-by: Michael R. Hines <mrhines@us.ibm.com>
Message-id: 1376078746-24948-2-git-send-email-mrhines@linux.vnet.ibm.com
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

parent 6dd2a5c9

migration-rdma.c

+3 −4

Original line number	Diff line number	Diff line
		@@ -3045,10 +3045,6 @@ static int qemu_rdma_registration_stop(QEMUFile f, void opaque,
		return ret;
		}

		qemu_rdma_move_header(rdma, reg_result_idx, &resp);
		memcpy(rdma->block,
		rdma->wr_data[reg_result_idx].control_curr, resp.len);

		nb_remote_blocks = resp.len / sizeof(RDMARemoteBlock);

		/*
		@@ -3070,6 +3066,9 @@ static int qemu_rdma_registration_stop(QEMUFile f, void opaque,
		return -EINVAL;
		}

		qemu_rdma_move_header(rdma, reg_result_idx, &resp);
		memcpy(rdma->block,
		rdma->wr_data[reg_result_idx].control_curr, resp.len);
		for (i = 0; i < nb_remote_blocks; i++) {
		network_to_remote_block(&rdma->block[i]);